[ubuntu-hardened] hiding ssh version

TJ Easter tjeaster at gmail.com
Sun Apr 5 21:04:31 BST 2009

FWIW, I make use of all banner hiding capabilities on public services
(i.e., the ServerTokens parameter in Apache's configuration) as I do
consider it defense-in-depth.  However, with SSH potentially using the
version banner to negotiate features and functionality, I'd recommend
against using the patch.  I use iptables(8) to lock down access to my
SSH daemon -- in addition to libwrap -- so the only people who are
ever even able to see the banner are likely to be hosts that I "trust"

TJ Easter

On Sun, Apr 5, 2009 at 9:44 AM, Kees Cook <kees at ubuntu.com> wrote:
> Hi Dan,
> On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
>> Is it not possible to get a package in the repos that incorporates this
>> patch and other hardening measures such as denyhosts? Possibly an
>> ssh-hardened package? It doesn't have to be something that is pushed out
>> with the distro by default but something that people can install if they
>> choose to.
> I don't think it makes sense to have a forked ssh package in the primary
> archive.  However, there's nothing to stop someone from building openssh
> with the patch and hosting it in their PPA.
> -Kees
> --
> Kees Cook
> Ubuntu Security Team
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead."  -- Kurt Vonnegut, 1922
- 2007

More information about the ubuntu-hardened mailing list